Mixed Bag Data Security Legislation Inches Forward, USACM Comments on Proposal

By Cameron
March 29, 2006

Today Congress took another step forward in trying to deal with the numerous data breaches that continue to make news as the House Energy and Commerce Committee unanimously passed legislation (H.R. 4127) that would force companies to shore up their security practices.

We’ve covered this issue in other posts (1,2), but for background the legislation has four main components:

  • A requirement that all businesses have data security plans in place,
  • Special regulations for so-called “databrokers,”
  • A nationwide notification requirement, and
  • Preemption of state law.

As the bill was moving through the committee process USACM issued a new letter finding that the draft legislation embraced several of the Fair Information Practices (FIP) principles recommended in a previous letter to Congress. The bill requires information brokers to verify the accuracy of personal information, allows consumers access to personal information held by brokers, and introduces additional accountability through mandatory audit logs — all welcome steps forward. However, USACM expressed concern about the legislation’s notification provisions if there is a breach of a company’s security.

The bill would require companies to notify consumers of a data breach unless only if there is a reasonable risk that the acquired data can be used for unlawful practices. Futher, it states that if a company encrypts the data or uses other technologies or practices that render data unreadable or indecipherable, then these technologies create an automatic exemption from notification (e.g. it argues there is little risk with encryption).

This troubled USACM in two different respects. First, the creation of a risk-based standard for notification may not improve security practices. Clearly if there is a breach, regardless of the risk to consumers, a company’s security system should be hardened to deal with the vulnerabilities. If there are multiple breaches, then notification should be required. Second, just utilizing technology such as encryption doesn’t necessarily mean that the risk of identity theft is mitigated if there is a breach. From the USACM letter:

“We are concerned, however, that specifying technologies to mitigate risk without ensuring that these tools are part of a comprehensive system is problematic. If the goal is to prevent exposed data being used for identity theft, then the standard should address both the robustness of the technology used in the system and how it is implemented. Encryption or other techniques for obfuscating data are valuable security tools; however, without comprehensive security practices in place they are, by themselves, incomplete protection.

For example, reliance on encryption, particularly if it is not properly used, can create a false sense of security. Often this will lead to so-called “brittle” protections, where whole systems fail as a consequence of simple component failures. A company may use an Encrypting File System to store all its customers’ personal information. If an unauthorized user gained access to the system but not to the encryption keys, all of this information would be encoded and useless. However, if someone was able to compromise the account or accounts of authorized users on the system, the mere presence of encryption does not reduce the threat of identity theft. All the personal information on that server would now be available to the thief through his or her compromise of a password, which might equivalently compromise the decryption key.

We recommend that rather than relying on specific technologies, the test for a safe harbor should be whether personally identifiable information might be extracted or inferred from the data that is disclosed.”

While the bill is a mixed bag, it is still a step forward. The legislation will have to be reconciled against other bills moving through House Committees before it can come before the full House of Representatives for consideration. These bills include one by the House Banking Committee that we haven’t had the chance to analyze. The Senate bills are also still in play, so there is a long way to go before these are law.